[Rack] Noisebridge Domain Question
danny at spesh.com
Fri Dec 7 06:08:15 UTC 2012
On Thu, Dec 6, 2012 at 7:13 PM, Rubin Abdi <rubin at starset.net> wrote:
> Andy Isaacson wrote, On 2012-12-06 10:19:
>> If we provide a HTTP-only redirect at noisebridge.com then a MITM can
>> intercept there.
> Correct me if I'm wrong, but a MITM attack can happen regardless of what
> that domain is doing, or not doing (like in its current state).
Nah, redirecting allows a specific attack -- it's the specific reason
for HSTS and pinning, both of which Noisebridge is (kind of weirdly) a
specifically good example of. For a long time, it was basically just
us and Paypal doing things correctly.
> Secondly we're Noisebridge, all about people gaining easy access to
> excellent things. I understand wanting to be a good role model with
> running a properly secure server and a slew of domains, but stating that
> we should not redirect other similar domains we own to information we're
> freely giving due to some security concerns that someone might man in
> the middle a free open wiki and list serve sounds about the same as
> setting up security cameras at our front door in order to keep out the
> unwanted people who still get in.
I'm not totally against it, but obtusely I don't get when this
happens. Do people type 'noisebridge.com' and then go ahhh this must
not exist very often?
I'd be willing to splash a bit of money on IPs certificates, cocaine
and cigars to do this properly and get a multiple-domain certificate
if this was a real problem, btw.
> I wouldn't be saying all this if we were running a BitCoin bank service,
> I would be saying something more to the extent of, "What the fuck are
> you doing running a BitCoin site off of Noisebridge?! Jesus fuck pork
> chop sandwiches! What kind crazy person are you?!"
> rubin at starset.net
> Rack mailing list
> Rack at lists.noisebridge.net
More information about the Rack